Semi-invasive attacks – A new approach to hardware security analysis

This technical report is based on a dissertation submitted September
2004 by the author for the degree of Doctor of Philosophy to the
University of Cambridge, Darwin College.

Abstract

Semiconductor chips are used today not only to control systems, but also
to protect them against security threats. A continuous battle is waged
between manufacturers who invent new security solutions, learning their
lessons from previous mistakes, and the hacker community, constantly
trying to break implemented protections. Some chip manufacturers do not
pay enough attention to the proper design and testing of protection
mechanisms. Even where they claim their products are highly secure, they
do not guarantee this and do not take any responsibility if a device is
compromised. In this situation, it is crucial for the design engineer to
have a convenient and reliable method of testing secure chips.

This thesis presents a wide range of attacks on hardware security in
microcontrollers and smartcards. This includes already known
non-invasive attacks, such as power analysis and glitching, and invasive
attacks, such as reverse engineering and microprobing. A new class of
attacks – semi-invasive attacks – is introduced. Like invasive attacks,
they require depackaging the chip to get access to its surface. But the
passivation layer remains intact, as these methods do not require
electrical contact to internal lines. Semi-invasive attacks stand
between non-invasive and invasive attacks. They represent a greater
threat to hardware security, as they are almost as effective as invasive
attacks but can be low-cost like non-invasive attacks.

This thesis’ contribution includes practical fault-injection attacks to
modify SRAM and EEPROM content, or change the state of any individual
CMOS transistor on a chip. This leads to almost unlimited capabilities
to control chip operation and circumvent protection mechanisms. A second
contribution consists of experiments on data remanence, which show that
it is feasible to extract information from powered-off SRAM and erased
EPROM, EEPROM and Flash memory devices.

A brief introduction to copy protection in microcontrollers is given.
Hardware security evaluation techniques using semi-invasive methods are
introduced. They should help developers to make a proper selection of
components according to the required level of security. Various defence
technologies are discussed, from low-cost obscurity methods to new
approaches in silicon design.